Avoid division by zero in hybrid point encoding by botovq · Pull Request #15108 · openssl/openssl

botovq · 2021-05-01T11:17:25Z

In hybrid and compressed point encodings, the form octet contains a bit
of information allowing to calculate y from x. For a point on a binary
curve, this bit is zero if x is zero, otherwise it must match the
rightmost bit of of the field element y / x. The existing code only
considers the second possibility. It could thus incorrecly fail with a
division by zero error as found by Guido Vranken's cryptofuzz.

This commit adds a few explanatory comments to oct2point. The only
actual code change is in the last hunk which adds a BN_is_zero(x)
check to avoid the division by zero.

Checklist

tests are added or updated

botovq · 2021-05-01T11:22:58Z

As mentioned in #15021, I am going to sign the CLA.

romen

LGTM

Thanks for also including a test!

t8m · 2021-05-03T07:14:25Z

Waiting for the CLA to be signed.

test/ectest.c

romen

Even better, good point @slontis!

Formally reapproved.

openssl-machine · 2021-05-04T08:00:18Z

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

t8m · 2021-05-04T12:36:54Z

Have you submitted the CLA already?

t8m · 2021-05-04T12:37:52Z

This will need make update after rebasing before merge as it touches FIPS module sources.

botovq · 2021-05-04T12:48:16Z

@t8m No, not yet. As mentioned in the linked issue, it might take a week or two before I get access to a printer or scanner. I'll do it as soon as I can. Do I need to do 'make update' or is this something the person who merges will do?

romen · 2021-05-04T12:52:28Z

This will need make update after rebasing before merge as it touches FIPS module sources.

@t8m Does this mean that we need to rescope what is considered beta1 blocker?
Up till now this sounded like a bug fix, so something that could be fixed even during the beta period (and back ported to 1.1.1).
Does the new FIPS source checking mechanism change this?

t8m · 2021-05-04T13:52:12Z

Does the new FIPS source checking mechanism change this?

I do not think so. We never said that post beta1 no FIPS relevant source changes are allowed. I suppose we might want to restrict changes to them some time later during the beta cycle but it should be definitely allowed for some while after beta1.

t8m · 2021-05-04T13:55:17Z

Do I need to do 'make update' or is this something the person who merges will do?

I think it can be done by the person who merges but of course feel free to do it yourself if you want. It should also fix the check_update test failure.

openssl-machine · 2021-05-05T13:00:18Z

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

kaduk · 2021-05-09T01:34:00Z

it might take a week or two before I get access to a printer or scanner.

I know that people with neither have been able to do some kind of electronic-only thing in the past, but I don't handle CLA processing so I don't know the details of how :(

romen · 2021-05-09T11:59:32Z

@botovq I will deal with the make update to update the FIPS checksum during merge, as soon as the other tests are finished.

In hybrid and compressed point encodings, the form octet contains a bit of information allowing to calculate y from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of of the field element y / x. The existing code only considers the second possibility. It could thus incorrecly fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. Fixes #15021 Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #15108)

Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #15108)

Reviewed-by: Tomas Mraz <[email protected]> (Merged from #15108)

romen · 2021-05-09T12:24:39Z

Merged to master with:

56f0237 Avoid division by zero in hybrid point encoding
e70abb8 Test oct2point for hybrid point encoding of (0, y)
f0f4a46 FIPS checksums update

Thanks @botovq for the contribution and @guidovranken for raising the issue!

romen · 2021-05-09T12:27:13Z

@botovq I tried force pushing to your branch to see if GitHub would recognize the PR as merged rather than closed.

Unfortunately I pushed to master first, so the test was not conclusive.
Sorry for the noise!

richsalz · 2021-05-10T14:13:52Z

access to a printer or scanner

If you have a digitized copy of your signature already, free PDF tools can add it into an existing PDF. Or word-processing programs can also do it. That might helps.

botovq · 2021-05-10T14:18:55Z

On Mon, May 10, 2021 at 07:14:17AM -0700, Rich Salz wrote: > access to a printer or scanner If you have a digitized copy of your signature already, free PDF tools can add it into an existing PDF. Or word-processing programs can also do it. That might helps.

Thanks for the suggestion. I sent the CLA on Friday and it was processed yesterday, so the problem is solved :)

In hybrid and compressed point encodings, the form octet contains a bit of information allowing to calculate y from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of of the field element y / x. The existing code only considers the second possibility. It could thus incorrecly fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. Fixes openssl#15021 Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#15108)

Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#15108)

Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#15108)

openssl-machine added the hold: cla required The contributor needs to submit a license agreement label May 1, 2021

romen self-assigned this May 1, 2021

romen added branch: master Applies to master branch triaged: bug The issue/pr is/fixes a bug labels May 1, 2021

romen approved these changes May 1, 2021

View reviewed changes

t8m approved these changes May 3, 2021

View reviewed changes

t8m added the approval: done This pull request has the required number of approvals label May 3, 2021

slontis reviewed May 4, 2021

View reviewed changes

test/ectest.c Outdated Show resolved Hide resolved

botovq force-pushed the point_conversion branch 2 times, most recently from 36ec123 to d4d606e Compare May 4, 2021 02:49

romen approved these changes May 4, 2021

View reviewed changes

t8m approved these changes May 4, 2021

View reviewed changes

t8m closed this May 4, 2021

t8m reopened this May 4, 2021

t8m added approval: done This pull request has the required number of approvals and removed approval: done This pull request has the required number of approvals labels May 4, 2021

romen closed this May 9, 2021

romen reopened this May 9, 2021

openssl-machine removed the hold: cla required The contributor needs to submit a license agreement label May 9, 2021

romen pushed a commit that referenced this pull request May 9, 2021

Test oct2point for hybrid point encoding of (0, y)

e70abb8

Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #15108)

romen added a commit that referenced this pull request May 9, 2021

FIPS checksums update

f0f4a46

Reviewed-by: Tomas Mraz <[email protected]> (Merged from #15108)

romen closed this May 9, 2021

romen force-pushed the point_conversion branch from d4d606e to f0f4a46 Compare May 9, 2021 12:21

romen mentioned this pull request May 9, 2021

EC_POINT_point2oct/EC_POINT_oct2point asymmetry (fixed in LibreSSL) #15021

Closed

romen linked an issue May 9, 2021 that may be closed by this pull request

EC_POINT_point2oct/EC_POINT_oct2point asymmetry (fixed in LibreSSL) #15021

Closed

botovq mentioned this pull request May 14, 2021

Avoid division by zero in hybrid point encoding #15112

Closed

1 task

devnexen pushed a commit to devnexen/openssl that referenced this pull request Jul 7, 2021

Test oct2point for hybrid point encoding of (0, y)

47c194d

Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#15108)

devnexen pushed a commit to devnexen/openssl that referenced this pull request Jul 7, 2021

FIPS checksums update

2afa378

Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#15108)

Uh oh!

Comments

Conversation

botovq commented May 1, 2021

Checklist

Uh oh!

botovq commented May 1, 2021

Uh oh!

romen left a comment

Choose a reason for hiding this comment

Uh oh!

t8m commented May 3, 2021

Uh oh!

Uh oh!

romen left a comment

Choose a reason for hiding this comment

Uh oh!

openssl-machine commented May 4, 2021

Uh oh!

t8m commented May 4, 2021

Uh oh!

t8m commented May 4, 2021

Uh oh!

botovq commented May 4, 2021 via email

Uh oh!

romen commented May 4, 2021

Uh oh!

t8m commented May 4, 2021

Uh oh!

t8m commented May 4, 2021

Uh oh!

openssl-machine commented May 5, 2021

Uh oh!

kaduk commented May 9, 2021

Uh oh!

romen commented May 9, 2021

Uh oh!

romen commented May 9, 2021

Uh oh!

romen commented May 9, 2021

Uh oh!

richsalz commented May 10, 2021

Uh oh!

botovq commented May 10, 2021 via email

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants